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Abstract 

Recently, we have developed a PHYsical layer Phase Challenge-Response Authentication Scheme 
(PHY-PCRAS) for independent multicarrier transmission. In this paper, we make a further step by 
proposing a novel artificial-noise-aided PHY-PCRAS (ANA-PHY-PCRAS) for practical orthogonal fre¬ 
quency division multiplexing (OFDM) transmission, where the Tikhonov-distributed artificial noise 
is introduced to interfere with the phase-modulated key for resisting potential key-recovery attacks 
whenever a static channel between two legitimate users is unfortunately encountered. Then, we address 
various practical issues for ANA-PHY-PCRAS with OFDM transmission, including correlation among 
subchannels, imperfect carrier and timing recoveries. Among them, we show that the effect of sampling 
offset is very significant and a search procedure in the frequency domain should be incorporated 
for verification. With practical OFDM transmission, the number of uncorrelated subchannels is often 
not sufficient. Hence, we employ a time-separated approach for allocating enough subchannels and a 
modified ANA-PHY-PCRAS is proposed to alleviate the discontinuity of channel phase at far-separated 
time slots. Finally, the key equivocation is derived for the worst case scenario. We conclude that the 
enhanced security of ANA-PHY-PCRAS comes from the uncertainty of both the wireless channel 
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and introduced artificial noise, compared to the traditional challenge-response authentication scheme 
implemented at the upper layer. 


Index Terms 

Authentication, physical layer authentication, OFDM transmission, information-theoretic security. 

I. Introduction 

Ensuring security of wireless communications has becoming increasingly important. Openness 
of wireless networks makes them vulnerable to spoofing attacks where an unauthorized user 
masquerades as another legitimate user. In the past, conventional cryptographic security mecha¬ 
nisms were used to foil such attacks m, in which the identity of a user should be authenticated 
through a challenge-response process, namely, authentication and key agreement (AKA) protocol. 
The AKA protocol was revised O for stronger security from second-generation (2G) to fourth- 
generation (4G) systems. A recent AKA protocol, known as Evolved Packet System AKA (EPS- 
AKA) (Sl-llSl, has been proposed for the Long Term Evolution (LTE) system. The security of 
state-of-the-art EPS-AKA protocol comes from computational complexity, namely, the adversary 
has limited computational power. It is believed that more efforts should be done to prevent 
potential innovative attacks since the wireless medium offers novel avenues for intrusion. 

In recent years, various efforts [|^- lfT5ll have been made in authenticating the transmitter 
and receiver at the physical layer. In general, these physical layer authentication schemes can 
be classified as key based or keyless, according to whether a secret key shared between the 
transmitter and receiver is exploited to authenticate each other or not. In the keyless authentication 
schemes m-ffEi, some specific features of either the transmitting device or the specific channel 
between the legitimate users were exploited in order to authenticate the transmission. As an 
initial trusted transmission is often required for identifying the features, they might be difficult 
to implement in some practical scenarios. Instead, various key based authentication schemes 
(bl-llll are closer to the traditional challenge-response mechanism, but less prone to attacks due 
to the protection from the unique randomness of physical characteristics. 

Eor key based challenge-response authentication schemes, two legitimate users, Alice and 
Bob, shared a secret key. Whenever Alice transmits a random number as the challenge. Bob 
sends back a response (often called a tag), which is the output of a cryptographic hash function 
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with both the challenge and key as its inputs. By verifying the response with a locally generated 
tag, Bob’s identity can be confirmed. Indeed, both schemes in |l6l, 0 follow this authentication 
mechanism, which are implemented at the physical layer. In Q, both Alice and Bob presume 
public challenges, which are used to generate tags with the shared key, and the tag is physically 
encapsulated as an embedded fingerprint, which is conveyed with the primary transmission by 
superposition. The embedded fingerprint is often allocated with low power, which is further 
corrupted by the channel noise. Hence, its recovery is in general difficult for the adversary, 
as she/he faces a fundamental information-theoretic challenge, not purely a computational one. 
The PHYsical layer Challenge-Response Authentication Mechanism (PHY-CRAM) proposed 
in 0 implements the conventional challenge-response process at the physical layer, where 
the randomness of fading channel’s amplitude is used to protect both challenge and response 
(tag). Recently, we proposed a PHYsical layer Phase Challenge-Response Authentication Scheme 
(PHY-PCRAS) for multicarrier transmission in [fT^ . It requires the channel reciprocity and the 
randomness of channel-phase response ifTTll for the protection of the shared key from possible 
eavesdropping. 

By exploiting the randomness of physical channels, various physical layer authentication 
schemes may ensure unconditional security at least for some bits of the shared key (which 
cannot be broken even if the adversary has unlimited computational power). However, this 
enhanced security depends heavily on the underlying physical channel, which is often out of 
our control. In the worst case of static channels (for example, line-of-sight communications), 
this kind of unconditional security may not be guaranteed. In this paper, we consider to develop 
an improved version of PHY-PCRAS for practical OFDM transmission, which can guarantee 
enhanced security even in the worst case of static channels. 

The main contributions of this paper are summarized as follows: 

1) We propose a novel artificial-noise-aided PHY-PCRAS (ANA-PHY-PCRAS) for practical 
OFDM transmission, where the Tikhonov-distributed artificial noise is introduced to in¬ 
terfere with the phase-modulated key for resisting possible attacks. A strictly-positive key 
equivocation can be ensured even for the worst case scenario. 

2) We make a fine improvement on PHY-PCRAS ifT^ . where the estimate of phase differences 
between subcarriers is simply replaced by the direct estimate of subcarrier phases. This 
makes the implementation of PHY-PCRAS simpler. 
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3) A time-separated subchannel allocation scheme is provided to obtain a sufficient number 
of uncorrelated subchannels. Then, a modified ANA-PHY-PCRAS is proposed for use of 
time-separated subchannels, which shows its robustness in verification for alleviating the 
discontinuity of channel phase at far-separated time slots. 

4) Various practical issues are discussed with non-ideal OFDM transmission, including im¬ 
perfect carrier and timing recoveries. In particular, we show that small sampling offsets 
often result in significant frequency offsets along the allocated subcarriers, which should 
be compensated for proper verification. 

5) We also provide an application model for generating the shared keys between two legitimate 
nodes in 4G mobile networks. Hence, the conventional challenge-response authentication 
scheme employed in 4G networks might be replaced by ANA-PHY-PCRAS with enhanced 
security. 

The rest of the paper is organized as follows. In Section II, we propose an ANA-PHY-PCRAS 
for perfect OFDM transmission, and a time-separated subchannel allocation scheme is presented, 
along with a modified ANA-PHY-PCRAS. Section-Ill is devoted to practical issues with non¬ 
ideal OFDM transmission. The security analysis of ANA-PHY-PCRAS is given in Sectiion-IV. 
Simulation results are presented in Section-V, and the conclusion is made in Section-VI. 

II. ANA-PHY-PCRAS FOR Perfect OFDM Transmission 

In this paper, we employ a common Alice-Bob-Eve model, where two trusting parties, Alice 
and Bob, share some common secrets and they want to authenticate each other, while Eve, as 
an opponent, has no any knowledge about the shared secrets and wants to impersonate Alice or 
Bob. 

From the viewpoint of modern cryptography, the development of cryptographic primitives 
should consider the worst case scenario. In the past, various physical layer authentication schemes 
were proposed and claimed enhanced security of information-theoretic nature, which, however, 
depends heavily on the randomness of the underlying physical channel. Whenever the physical 
channel happens to be static, there is simply no guarantee of enhanced security. Therefore, it 
is essential to consider the worst case of static channels between Alice and Bob for developing 
physical layer authentication schemes. 
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A. Basic Idea of ANA-PHY-PCRAS 

We propose a novel ANA-PHY-PCRAS for OFDM transmission, whieh makes two nontrivial 
improvements on PHY-PCRAS ifT^ . 

Firstly, ehannel uneertainty has been proved to be essential for ensuring enhaneed seeurity 
in various physieal layer eryptographie approaehes. For ANA-PHY-PCRAS, we introduee the 
Tikhonov-distributed artifieial noise to interfere with the phase-modulated key, whieh eould be 
used to ereate artifieial ehannel uneertainty. Therefore, the minimum amount of enhaneed seeurity 
of information-theoretie nature ean be guaranteed even in the worst ease seenario. This eontrasts 
sharply to various reported physieal layer authentieation sehemes, whieh rely solely on the 
randomness of the physieal ehannel. Whenever the ehannel randomness appears, ANA-PHY- 
PCRAS ean be proteeted by the uneertainty from both the physieal ehannel and artifieial noise. 

Seeondly, we make a fine improvement on PHY-PCRAS, where the estimate of phase differ- 
enees between subcarriers is simply replaced by the direct estimate of subcarrier phase. It does 
work as we use a noncoherent metric for verification, which remains unchanged for any random 
but constant phase increment over all subcarriers. 

B. Signal Model for Perfect OFDM Transmission 

In this paper, we assume a multipath fading channel between Alice and Bob. It is often 
associate with a channel coherence time Tc, below which the channel is considered as temporally 
correlated. 

Assuming an OFDM system with N subcarriers, a bandwidth of W Hz and symbol length 
of Tf = Tu + Tg seconds, of which, Tg seconds are due to the length of cyclic prefix (CP), and 
Tu = N/W. In the following, we use = T^/N = 1/W to denote the sampling period. 

The transmitter uses the waveforms 



( 1 ) 


/c = 0,l,-- - ,A^ — 1 and the transmitted baseband for an OFDM symbol is 

N-l 


sit) = ^ XkUkit), 


( 2 ) 
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where Xk = A; = 0,1, • • • , iV — 1 are complex numbers from a signal constellation. Since 
we focus on a phase challenge-response scheme, M-ary PSK modulation is preferred, and hence 

ojj. e = lo — • • • 

“ \U, J. 

The signal is transmitted over a frequency-selective fading channel 


h(T,t) = J2ai(t)d(t-Ti), (3) 

i 

where r* is the delay of the i-th path and ai{t) is the corresponding complex amplitude. Assuming 
the receiver filter is flat within the signal bandwidth, the received signal is 


r{t) = '^ai{t)s{t - Ti)+w{t), (4) 

i 

where w{t) is an additive white Gaussian noise process. 

Sampling the signal at time instants tn = nTg yields 


^(^n) = ai{tn)s{tn - Ti) + w{nTs). (5) 

i 

For convenience, assume that the delays r^’s are integer multiples of Tg. With the sampling 
period of Tg = 1/bF, the number of resulting samples for each OFDM symbol is Nf = N + Ng, 
where Ng denotes the length of CP. After removing the guard interval and taking the fast Fourier 
transform (FFT) to the received signal, we get 


Vk = hkXk+ Wk,k = 0,1,-■ ■ ,N - 1, (6) 

where i/k = with = r((n -f Ng)Tg), and 

hk = hk{tn) = (7) 

i 

which keeps constant at least over one OFDM symbol. 

Let /c denote the carrier frequency at the 0th subcarrier. With perfect OFDM transmission, it 
can be viewed as parallel multicarrier transmission with a set of carriers = {/c, /c + ^, /c + 


C. Subchannel Allocation for ANA-PHY-PCRAS 

As a challenge-response process for ANA-PHY-PCRAS, Alice sends a challenge signal to 
Bob, Bob sends back a response signal, which can be verified by Alice with the shared secret 
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key. With OFDM transmission, L < N subcarriers {/o, /i, •'' > /l-i} C are selected. We shall 
show later that the perfect security of ANA-PHY-PCRAS requires independent fading among L 
carriers. Hence, these carriers should be well separated. 

Let T = [0, iV — 1] be the set of indexes for N subcarriers in 5^. To ensure independence 
among L subchannels, one has to find a subset of indexes S = {/q, • • • , Il-i] C F (of size 

L) with minimum mutual correlation, namely. 


= arg min max \piaX 


( 8 ) 


where 


A 7—I 

Pii,ij = E 


hrhl 


E[\hi^\^]E[\hi^\^] 


( 9 ) 


since E[hl^] = 0,7 G [0, L — 1]. In practice, the allocated subchannels are often equally spaced, 
and the value of Ai = — li determines the minimum mutual correlation. 

1) Channel model with exponentially decaying power-delay profile: Consider a time-invariant 
version of the multipath fading channel model Q, where a/s are zero-mean complex Gaussian 
variables with a power delay profile 9{fi) and A = The normalized delays fj’s are assumed 
to be uniformly and independently distributed over the length of CP (fj G [0,A"g]), and an 
exponentially decaying power-delay profile takes the form of 6*(fj) = With this channel 

model, it was shown in [fT^ that the normalized correlation between subcarriers li and I 2 is a 
function of frequency separation A/ = (I 2 — li)/N, which takes the form of 

^ _ ^-Ng(^f^l+2TTj{l2-h)/N'^ 


Ph,h 


( 10 ) 


rrms(l - e “ h) / N) 

Scenario 1: Consider the scenario where the system operates with a bandwidth of kF = 20 
MHz, which is divided into N = 2048 tones with a total symbol period of 108.8 /is, of which 
6.4 /iS constitutes the CP. Hence, Ng = 128 and Nf = N Ng = 2176. 

Let a-r- be the time delay spread. For the Scenario [H with a-r = 0.5 ps, it gives that Trms = 10, 
and the frequency-spaced correlation function is plotted in Fig. [TJ 

2) Time-separated subchannel allocation: It has been shown that two subchannels could 
be nearly uncorrelated if they are sufficiently separated, which, however, limits the number 
of available subchannels for the purpose of physical layer authentication. Consider again the 
Scenario [B Whenever the allocated subchannels are equally separated with A(. = 128, there are 
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Fig. 1. Frequency-spaced correlation function. 


only L' = 16 + 1 = 17 well-separated subehannels and the minimum mutual eorrelation is about 
0.2468. 

In ifT^ . we have shown that the security of PHY-PCRAS depends on the number of indepen¬ 
dent subchannels. With BPSK modulation, the size of shared key is equal to the number of inde¬ 
pendent subchannels. Hence, it is important to allocate much more independent subchannels for 
use in PHY-PCRAS. Fortunately, one can allocate more subchannels over sufficiently-separated 
time slots (OFDM symbols). 

The time-separated subchannel allocation scheme is shown in Fig.[2l With sufficiently-separated 
carriers, there are only L' carriers /o, /i, • • • , fi'-i for use. However, one can repeatedly employ 
such L' carriers at times - ■ ■ , fj_i, where tj = to + j ■ 5T. To ensure independent fading 
among different time slots, the minimum time interval between two neighboring time slots should 
be significantly larger than the channel coherence time, namely, 5T >> Tf.. 

Coherence time is the time duration over which the channel impulse response is considered 
to be constant. Channel variation is mainly due to Doppler effects. Using Clarke’s model, the 
coherence time is often selected as T^. = where fo denotes the maximum Doppler 

frequency. Consider now that the system operates at carrier frequency of 1.9 GHz. In typical 
urban areas [fT^ with a mobile speed of 50 km/h, fo ^ 88 Hz and Tc ~ 4.8 ms. 
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Fig. 2. Time-separated allocation of OFDM symbols for PHY-PCRAS. 


With a challenge-response approaeh shown in Fig. [3l Aliee starts the transmission of ehallenge 
signal at time tao, whieh arrives at Bob later at time tao + St, where St denotes the transmission 
delay between Aliee and Bob. Then, Bob sends baek a response signal at time t^Q. Define 
^tba = tbo — tao- Clearly, /S.tba > St. PHY-PCRAS depends on the reciprocity of the channel 
between Alice and Bob. It is understood that the channel keeps constant during the coherence 
time Tf. and hence the channel reciprocity requires that Atba < Tc — Tf, as shown in Fig. \2l 

D. ANA-PHY-PCRAS 

For ease of deseription, we first assume that all the alloeated subehannels are from a single 
OFDM symbol. Later, we shall present a modified ANA-PHY-PCRAS scheme for the time- 
separated subehannels shown in Fig. |2l In what follows, we suppose that the shared keys between 
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Fig. 3. ANA-PHY-PCRAS for OFDM transmission. 


Alice and Bob are denoted as {/Ca,/Cb}, where eaeh key ean be eonsidered as a sequenee of 
random bits. 

1) PHY-Challenge: Consider that Alice wants to start a eonversation with Bob as shown in 
Fig. [3l Aliee sends a “ehallenge” frame to Bob starting at time instant ta, whieh is employed by 
Bob for estimation of ehannel phases at multiple earriers. Essentially, Aliee sends equal-phase 
modulated sinusoids {Xk = l,k = 0,1, • • • , L — 1) at frequeneies /o, /i, • • • , fi-i during the 
period of a single OFDM symbol f G [ta,ta + Tf], namely, 

L-l 

SA{t) = ^ [ta,ta + Tf]. (11) 

k=0 

With perfeet OFDM transmission, the waveforms can be viewed as “mutually orthog¬ 

onal” Q at the reeeiver even they undergo multipath fading ehannels (after insertion and deletion 
of the CP). Equivalently, the received signal at Bob ean be represented as 

L-l 

^ -f w{t),t e [ta + 5t,ta + 5t + Tf\. (12) 

fc =0 


'Actually, they are only orthogonal in the discrete time domain, the continuous form is employed to show the time-related 
issues for convenience. 
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where hk = G A, /c = 0,1, • • • , L — 1 are assumed to be eonstant during 

t G [ta,ta + 5t + Tf], and ^{hk) = Ok are ehannel phase responses at L subearriers. Henee, a 
parallel fading ehannel model = \hk\e^^’‘ + Wk, fc = 0,1, • • • , A — 1 is assumed with perfeet 
earrier and timing reeoveries (please refer to db])). 

Then, Bob estimates the phase at eaeh subearrier fk, namely, 

Ok = AVk) = dk + AOk, k = 0,l,--- ,L-1. (13) 


where AOk denotes the estimation error. Noting that we use the absolute channel phase estimates 
6k while the estimates of channel phase differences are employed in PHY-PCRAS IHW . Compared 
to PHY-PCRAS, the direet estimate of ehannel phase simplifies the implementation and its 
robustness against the reeeiver oseillator remains unchanged as shown later. 

2) PHY-Response: At this stage. Bob responds to Alice with a tagged signal, which encap¬ 
sulates the shared key Kb = [kq, ^i, • • • , «^l-i]^ in the form of 

L-l 

k=0 

where pk = 27r^ G fl, ka; G {0,1, • • • , M — 1} since we assume M-ary PSK modulation, and Vk 
denotes the introduced artificial noise. We assume that Vk, k = 0,1, ■ ■ ■ , L — 1 are independent 
and identically distributed (i.i.d.) with the same probability-density-function (pdf) fv{x). Here, 
we employ the Tikhonov distribution for fv{x), namely, 

cos(x) 

where P > 0 determines the dispersion of the distribution, and loiP) is the modified Bessel 
function of the first kind and 0-th order, and x is confined to a support of length 2% in the 
vicinity of 0. The use of Tikhonov distributed artificial noise is due to the fact that the Tikhonov 
distribution maximizes the entropy when the mean and variance of (or the circular mean and 
circular variance of v) are specified [l20l . 

Then, the received signal at Alice is given by 


L-l 

^Ait) = EM ^3{f'^fkt+{‘Pk-K+Vk)+Sk) _|_ 

k=0 

L-l 

= Y + w(t), 

fc =0 


( 16 ) 
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where t G [4 + 6t, th + 6t + Tf], and A§k = Ok — Ok- 

With perfeet earner and timing reeoveries, sampling the signal with frequeney ^ ean obtain 
Nf samples for eaeh OFDM symbol, as shown in Section-II.B. After removing Ng samples for 
the guard interval, N samples are transformed using FFT to retrieve L parallel channels (without 
ISI) at carriers /fc, /c = 0,1, • • • ,L — 1 as 

yk = Pke^"^^ +u!k,k = 0,1,-■■ ,L-1 (17) 

with pk = Yar{wk} = 77 ^. 

Hence, the received vector in its complex form can be written as 

y = [PO^O, Pl^i, • • • , pL-l^L-lf + W, (18) 

where kk = , k = 0,1, - ■ ■ , L — 1. 

E. Verification 

To complete the authentication process, Alice requires verifying whether the response signal y 
is from Bob or not. If the response signal is not from Bob but Eve (an impersonation attacker), it 
is assumed that Eve generates a length-L M-ary random vector K-e for authentication as there is 
no information about JCb available to Eve. Essentially, this is cast as a binary hypothesis testing 
problem ll^ : 

Hi : ICt = ICB 

Ho : ICt = ICE (19) 

where ICt denotes the acknowledged key. 

The optimum binary hypothesis testing was formulated in ifT^ . which is difficult to solve in 
general. Instead, we propose to use the test statistic 

C=l7r>7 = ^sy, (20) 

where denotes the conjugate transpose of x. Then, C, is compared to a threshold value i for 
making a final decision. 

In both hypotheses, p is the sum of L dependent identically-distributed random variables, 
which could be approximately regarded as normally distributed for large L from the central limit 
theorem, especially when the dependence among random variables is weak 1^. Hence, ( = \p\'^ 

^The use of i.i.d. artificial noise over time in ANA-PHY-PCRAS makes the dependence among random variables weaker. 
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is noncentrally chi-squared distributed with 2 degrees of freedom, the pdf of whieh ean be 
expressed as 



( 21 ) 


where E{(} = a'jj^ -f A and Var{C} = + A) under hypothesis z = 0,1. In Il22l . it 

was shown that A and aj^. ean be estimated from the moments of ( as 



Wfe point out that the use of l/C^yl for verification makes ( unchanged for any random 


but constant phase rotation among all subcarriers. Therefore, the estimate of phase differences 
— (^ 0 , k = 1, ■ ■ ■ , L — 1 between subcarriers in PHY-PCRAS KWH is simply replaced 
by the direct estimate of subcarrier phases 0k,k = - ■ ■ , L — 1. Even if the reeeiver oseillator 

may introduee a random but eonstant phase rotation among all subearriers, it does not pose a 
ehallenge for praetieal implementation if there is only one single oseillator in the reeeiver for all 
subearriers. Furthermore, there is no stringent requirement on a eommon time referenee between 
users due to the use of noneoherent metrie, whieh is in sharp eontrast to the seeret generation 
approaeh proposed in ll2^ . 

F. Modified ANA-PHY-PCRAS for Time-Separated Subchannel Allocation 

Consider the time-separated subehannel alloeation seheme shown in Fig. |2l With a total of 
J time slots (tm,rn = 0, • • • , J — 1), a key ean be divided into J sub-keys, namely, K.b = 
[/Cq , • • • and eaeh sub-key ean be delivered through L' earners. 

When Aliee ehallenges at J time instants tam-,fn = — 1 with L' subearriers for 

eaeh time instant. Bob extraets L' subearrier phases at eaeh time instant, and responds to Aliee 
at time instant tbm with a tagged signal eontaining the m-th sub-key /Cm- Finally, the reeeived 
signal at Aliee during t G [hm + St, tbm + St + Tf] in a base-band eomplex veetor form ean be 
written as 


y(tm) = ■ [po(tm)fio, ■ ■ ■ , PL-l(tm)kL-lf + w(tm), 


where Ooitm) denotes a random but eonstant phase due to the reeeiver’s oseillator during t G 


\tamythni 2~y], and pkitm) 




)] 
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For the robustness of implementation, we always assume that 9o(tm),m = 0,1, • • • , J — 1 are 
independently random variables over (—tt, vr], whieh means that ehannel phase diseontinuity is 
observed over far-separated time slots. Henee, this diseontinuity at different time slots should be 
seriously eonsidered for verifieation, and a noncoherent combining method is preferred. Here, 
we propose a suboptimum hypothesis testing method, which employs a noncoherent combining 
metric 

j-i 

C = ^\Vmf ,Vm = ( 23 ) 

m=0 


With sufficient separation in time, rjm’s are independent complex Gaussian variables of the 
same variance. The sum of squares of J independent complex Gaussian variables of the same 
variance is noncentrally chi-squared distributed with 2J degrees of freedom, which yields the 
pdf of 


/c(^) 




J—1 x+A 




( 24 ) 


where both A and cr|^. can be again estimated from the moments of ( as shown in (l22l) . 

The cumulative distribution of C can be described by the generalized Marcum Q-function, 
which is given by 

F^{xm = l-Qj(^, , * = 0,1 (25) 

with Qj{a,b) = 

The authentication is typically claimed if C ^ The threshold l of this test is determined for 
a false acceptance rate (or false alarm probability) P/ according to the distribution of Cl-^o 


L = arg max Qj 


A 


2 ’ 2 


<pf- 


The successful authenticate rate (or detection probability) can be simply computed as 

Pd = Q.‘ ^ ' 


2 ’ 2 


( 26 ) 


( 27 ) 


Compared to ANA-PHY-PCRAS, the use of (1231) results in noncoherent combining loss for the 
modified scheme, which, however, does not require the assumption of phase continuity among 
different time slots. 
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III. Practical Issues with Nonideal OFDM Transmission 
A. Practical Issues 

For a practical OFDM receiver, there is often a loeal earrier frequeney oscillator for demodula¬ 
tion, with which the received radio signal can be eonverted from radio frequency into baseband. 
Then, the baseband signal is sampled and diserete-time samples are obtained for subsequent 
proeessing, where the sampling cloek is derived from a local oscillator. Practically, both timing 
and carrier referenees are asynehronous between the transmitter and reeeiver. Henee, in a real- 
world passband transmission system, the following parameters can cause disturbanees in the 
reeeiver. 

1) The earrier frequency oscillator for demodulation at the reeeiver ean be different with 
the transmitter oseillator, resulting in a earrier frequeney offset of A/ and a random but 
constant phase offset of <l>o- 

2) The sampling time at the receiver has a constant symbol offset c = n^Tg compared to the 
transmitter time. 

3) The sampling time at the reeeiver has a sampling cloek frequeney offset of c = {T^—Ts)/Ts 
eompared to the transmitter time, where the sampling period employed at the receiver 
is deviated from the desired sampling period Tg. 

For simplicity of notation and in order to focus on the pure imperfections at the receiver, we do 
not include the artificial noise in this section, which, however, is fully considered in simulations. 


B. The Effect of Carrier Frequency Offset 

Whenever the condition 1) occurs, the reeeived samples ean be written as 


= r((n + Ng)Tg) = ^ ( 28 ) 

i k 

where i? = AfT^, and NgAfTg is included in $o for convenience. As the multipath channel is 
assumed to be eonstant during at least one OFDM symbol, we simply use ai instead of afit) 
for the Ah path gain. 

After the removal of guard interval from the reeeived samples, the application of FFT yields 


Uk 


]Vsin(f) 


^k^k F Ik F 


(29) 
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where 


l^k 


J2.((i-k+^)£i^) sin(7ri^) 




-hiXi 


(30) 


denotes the interehannel interferenee (ICI). Due to the use of noneoherent metrie (|2^ for 
verification, the extra phase 2'K{'d^^ + $ 0 ) has no impact. 


It should be noted that with the presence of carrier frequency offset, the direct loss in SNR 


4 can be approximated by If24l 


dB and the frequency offset noise power due to the introduction of ICI 

(31) 


TT 


^ y(A/T4^ 


for the normalized channel gains, namely, E {\hk\‘^} = 1. 


C. The Effect of Sampling Offset 

With a non-zero symbol offset £ = nfTs, the channel impulse response “seen” by the receiver 
is also shifted in the time scale by e, which yields 

/ie(r, f) = hfr - e,t - e) = Uif - e)5{T - r* - e) ^ ^ ai{f)5{T - Ti - nfTs). (32) 

i i 

since ai{f) is assume to be constant during at least one OFDM symbol. Just like in (|7]), the 
equivalent channel gain at the k\h carrier can now be written as 

mn) = Y. . ( 33 ) 

i 

With a time-shift of nfTs, the input samples for demodulation are also shifted by n^, which 
results in both intersymbol interference (ISI) and ICI. The ISI arises since one OFDM symbol 
window with a nonzero shift 0 will actually be covered by two OFDM symbols, while ICI 
is due to the corruption of orthogonality among subcarriers when 4 0. Hence, by neglecting 
a minor loss in SNR for large N, demodulation of the subcarrier via FFT yields Il24]| 

Vk = + ik + Wk, ( 34 ) 


where 4 is the disturbance caused by both ICI and ISI. The disturbance can be well approximated 
by Gaussian noise with power [l24ll 


- 




' N 


Aei 

N 



(35) 


February 19, 2016 


DRAFT 










17 


where 


71 — —^ 

' T' I 

s 



Us, 0 < UeTs < -{Tg- Ti) 

0, otherwise 


(36) 


\ 


With a ehallenge-response proeess, ANA-PHY-PCRAS involves two rounds of eommuniea- 
tions. Henee, the receiver imperfections from both Alice and Bob should be considered together. 
Let ?7,“, nl be the normalized sampling symbol offsets of Alice’s and Bob’s receivers, respectively. 
When Alice challenges, Bob estimates the channel phase at subcarrier f^. With the sampling 
symbol offset nl, this phase estimate must include an extra increment over frequency, namely. 



(37) 


where 61 is the non-biased estimation error with zero mean, and h = Iq + kAi. 

When Bob responds to Alice, Alice also introduces her sampling symbol offset n“, and she 
can finally manage to obtain L parallel channels at subcarriers fk, k = 0, ■ ■ ■ ,L — 1 as 


Vk = +ik + Wk,k = 0,--- ,L-1 


(38) 


where zu = 27r(n“ — n^) • = 27r(?7,“ — n^) ■ Pk = \hk\e and 4 denotes the interference 

due to the sampling offset at Alice. 

D. The Effect of Sampling Clock Frequency Offset 

With a sampling clock period of T^', the received samples at t'^ = {n + Ng)Tg can be written 
as 



i i k 



i k 




k + k<; 
N 


(39) 


k 


Demodulation of the subcarrier yields [l24ll 



(40) 


where = kq and ik is the disturbance caused by ICI. 
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Consider a sampling clock frequency offset up to ±100 ppm (<^ = 10 '^) for an OFDM system 
of iV = 2048 subcarriers. The multiplicative factor results in some loss in SNR, which is 

less than 0.3 dB in the worst carrier. The sampling frequency offset also results in an incremental 
phase rotation over subcarriers, which is the same to (l38l) . 

E. Verification under Practical Imperfections 

With a challenge-response approach, we focus on the final verification in the response stage. 

As depicted in Section-III.C, an equivalent frequency offset due to sampling offset at the stage 
of challenging should be considered. 

By including all the above imperfections, the demodulated subcarrier at is given by 

Vk = + ik + Wk, (41) 

where 

^ ^ ^^ «-ri‘)A< + iV,c + (iV-lK/2 ^ ^^2) 

00 = irAfTuiN - 1)/N + 27r« - n%/N + $ 0 , (43) 

and ik is the disturbance caused by both ICI and ISI. 

Consider the modified ANA-PHY-PCRAS for the time-separated subchannels. With the chan¬ 
nel model (HTh under practical imperfections, we propose to employ a refined non-coherent 
combining metric 

,7 

c = maxV |/Cj^A(t^7)y(fm)|\ (44) 

m=l 

where A(ci7) = diag(l, ■ ■ ■ , and J time slots starting at = 0,1, • • • , J— 

1 are employed. Compared to (l23l) . the refined metric includes the effect of residual frequency- 
offset (l42l) due to various imperfections. 

For the Scenario. [T| with A£ = 128, we have that ^ which can result in a very 

large frequency offset (l42l) even with a small value of |n“ — Therefore, the search of 
frequency shown in (l44l) should be seriously considered in practice. Noting that the contribution 
of ([ 42 ]) due to sampling clock frequency offset is minor compared to sampling 

offset. 
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IV. Security Analysis 

In this section, security analysis is presented. For ease of analysis, we focus on the basic 
ANA-PHY-PCRAS over a single OFDM symbol. 

A. Noncoherent Channel Model for Eavesdropping 

As a passive attacker. Eve only monitors all frames inside the network during authentication, 
and tries to learn {1Ca, ICb) from whatever it gets. 

By monitoring the response signal from Bob, the received signal at Eve is given by 

L-l 

rE{t) = ^ l^fcl cos (271 fkt + {(fk -0k + Vk) + 4 ) + WE{t), (45) 

fc =0 

where hk = \lik\e^^^, 9k is Eve’s channel-phase response when Bob transmits a zero-phase 
sinusoidal signal at frequency fk, 9k is Bob’s estimate of channel response 9k when Alice 
challenges, and WE{t) is the noise process observed by Eve. 

Due to the orthogonality among different subcarriers, one can retrieve the discrete signal vector 
from (1451) as = [zq, ■ ■ ■ ,zl-i\'^, where 

Zk = -f Wk, (46) 

and 'fk = {h - 9k) + Vk- 

Eor security analysis, we focus on the key equivocation or the conditional equivocation about 
the key, namely, H{Kb\zq~^). As 

H{ICb\z^-^) = H{ICb) - I{zt"-, ICb), (47) 

where I{X;Y) denotes the mutual information between two random variables X and Y, it 
is equivalent to compute the mutual information I{zq~^;)Cb) or its bound. If I{zq~^;ICb) < 
6H{ICb), it follows that H{}Cb\zq~^) > (1 — 5)H{1Cb)- Hence, the successful probability for an 
eavesdropper to guess the key is about the ideal case of I{zq~^] ICb) = 0, we have 

that H{ICb\zq~^) = H{Xb), which means that the successful probability for an eavesdropper 
to guess the key is about the same as a random guess. Whenever I{zq~^]1Cb) = 0, 

information-theoretic security is ensured. 

With a noncoherent metric for verification, the shared key /C^ is essentially conveyed in 
the differences of modulated phase sequence This means that we are interested in the 
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noncoherent ehannel model of (|4^ . where the mutual information K,b) is determined by 

the sequenee of phase differenees {^ipk = but not on 'ipQ. To be more rigourous 

for seeurity analysis, we always assume that Eve has the eomplete knowledge about the ehannel, 
whieh means that A9k = 0 (as it can be perfectly compensated by Eve). Since A^pk = AO^ — 
A6k + Avk, we have that A'^^. = —A9k + Avk, or 

'i’k = ~^k + + -^5 ( 48 ) 

where A denotes an unknown but eonstant phase rotation over the subehannel index k. Here, A 
is often assumed to be uniformly distributed over (—7r,7r]. 

B. Information-Theoretic Security under Independent Parallel Fading Channels 

Eor wireless rieh-scattering fading channels, the observations of Eve remain independent from 
the ehannel-speeifie observations of Aliee and Bob, if Eve is loeated more than half a wavelength 
away from these two users ifTTll . If25ll . In this case. Eve eannot get a feasible estimate about 9k 
based on the monitoring signal when Aliee initiates a ehallenge. Henee, it is fair to assume that 
Eve has no any knowledge about either 9k or 9k- 
Lemma 1: Eet 0i, 6*2 G (—vr, vr] be two random variables on a eircle and 6 * = 6*1 + 02 mod 27r, 
where 9 G (—7r,7r]. If 9i is uniformly distributed over (—7r,7r] and 02 is independent of 0i, it 
follows that 0 is also uniformly distributed over (— vr, vr], whieh is irrespective of the distribution 
of 02 - 

Proof: Eet fe^^x), fe^i^x), fo{x) denote the pdfs of 0 i, 02 , 0 , respeetively. Eor a uniformly 
distributed random variable on a eirele, we have that fe^ (^) = 2 ^ if X G (— TT, tt], zeros otherwise. 
Sinee 02 is independent of 0i, it follows that 

/e(^) = y feiit)fe2{x-t)dt= ^ J fe^{x - t)dt = ^ 

for X G (—TT, tt]. ■ 

If the L parallel fading ehannels at subearriers /fc,/c = 0,l,•••,+ — 1 between Aliee and 
Bob are independent, we have that either 9k or their estimates 9k, k = 0, • • • ,L — 1 are i.i.d, 
eaeh of which is uniformly distributed over (—7r,7r]. Since Eve’s ehannel phase response 0^ is 
independent of 0^ and by noting Eemma 1, it is elear that fk,k = 0,l,--- , L — 1 (|4^ are also 
i.i.d and uniformly distributed over (—7r,7r]. This means that 

I{z^-^;ICb) = 0. ( 49 ) 
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Therefore, there is no hope for Eve to extract any reliable information about the key Ka- In this 
case, information-theoretic security can be perfectly ensured. 


C. Equivocation Analysis for Static Parallel Channels 

The worst case for the purpose of authentication is to consider the scenario, where the L 
parallel channels between Bob and Alice (or Eve) are all assumed to be static over a long 
period. This means that 6 ^ can be well estimated before the start of authentication and further 
compensated in (|4^ by Eve, who may get a clean version of the received signal 

Zk = = 0,1, • • • , L - 1. (50) 

As Eve can be located very close to Bob, her observation may be free of noise, which is the 
worst case for addressing the security issue. In this case. Eve can directly extract the phase of 
Zk, namely. 


(t)k = ^k + Vk + \,k = D,l,--- ,L-1 


(51) 


where fk = ^{zk). 

Hence, the mutual information between Zq~^ and ICb can now be computed as 


1(4 ^/Cb) = /(0o ') = log2 


lL-1. ,„L-1 


0 1*1^0 




L-l\ ’ 


where 


p(0o Vo = / p(0o Vo \A)p(A)dA 




f JJ fvifk -Pk- X)p{X)dX 

k 

h (eV cos(0fc - (^fc)) + (E V sin(0A: - ^k)) 

[2vr/c 


(52) 


(53) 

with Ii{x) denoting the modified Bessel function of the first kind and 1-th order. Since yj^’s are 
uniformly, i.i.d. over the discrete values. 


p(V ^) = p(V Vo ^)Pi.Po 


(54) 


V’o 6^^ 


where ^(v^o ) = igr for equally-distributed M-PSK constellations. 
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Lemma 2: Consider the worst ease seenario, where the ehannel between Aliee and Bob is 
statie and Eve ean get a noise-free version of the transmitted signal by either Aliee or Bob. With 
ANA-PHY-PCRAS, Eve’s key equivoeation ean be lower bounded as 

+ -vY 


H{K,b\Z, 


0 Y>L- 


logs 


Uv) 

if the introdueed artifieial noise is with the pdf of fv{x). 
Proof: It was shown in ll2^ that 


(55) 


L-l 

0 


(56) 


where /(A; 


lL-1 \ 


= 0 as {A + ^k}k=o Is independent of A, and the first term J(0 q ; y9Q qA) 


denotes the eoherent mutual information. By assuming a eoherent ehannel model of 0 = + r;, 

it ean be effieiently eomputed as 


jHYo ^-,^0 ^|A) = /(0;</^) 

= E^^^ log2 


p{Y\p) 

p{Y) 


= log 


piYW) 


'-,2 J _ 

M 




= log 2 M - E^^, 


log: 




= log2 M — E, 




log 


2 p(0|(^) 

fv{v) 


(57) 


By noting that /(0o ^'iPo < HYo ^'iPo tho conditional equivocation can be bounded 


as 


H{ICb\Z, 


L-l^ 


= 77(/Cb)-/(^o 

J2^enfv{p + v-f) 


> L-E. 


(p,V 


logs 


fv{v) 


(58) 


which could be strictly positive for a properly chosen distribution fv{x). 


V. Numerical Examples 
A. An Application Model for Getting the Shared Keys 

In developing ANA-PHY-PCRAS, we have assumed that Alice and Bob share two secret keys, 
namely, {1Ca,ICb}- In practical wireless network scenarios, it is interesting to investigate how 
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Alice 

(UE) 



Bob 

(eNB) 


MAC=nK(SQN II RAND || AMF) 


User Authentication Request 


{RAND,AUTN} 

AUTN=SQN© AK || AMF || MAC 


Verify AUTN 


and Comtiute RES 


User Authentication Response 


RES 


Compare RES with J ^RES 


RES=f2K(RAND) 


Fig. 4. A Typical Challenge-Response Authentication Process. 

Alice and Bob can share secrets before authentication. This, indeed, depends on the underlying 
wireless network. 

For 4G mobile networks, we consider a typical scenario where a user equipment (UE/Alice), 
wants to authenticate with an evolved Node-B (eNB/Bob). The possibility of sharing common 
secrets between Alice and Bob comes from the long-term secret key {K) stored on the Universal 
Subscriber Identity Module (USIM) and in the Authentication Center (AuC). The challenge- 
response authentication process can be depicted in Fig. HI As shown, a pair of shared keys 
{/Cyi, Kb} can be derived from the long-term key K, namely. 


Ka = /2^(RAND), 

Kb = /1k(SQN||RAND||AMF), 


(59) 


where RAND, SQN, AMF can be considered as random numbers, and /I, /2 are the message 
authentication function used to compute MAC and RES (XRES), respectively. Please refer to 
ETll for more details. 

B. Simulation Scenario 

Consider that the system operates at carrier frequency of 1.9 GHz with a bandwidth of W = 
20 MHz, which is divided into N = 2048 tones with a total symbol period of 108.8 /is, of 
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which 6.4 /iS constitutes the CP. Henee, Ng = 128 and Nf = N + Ng = 2176. N = 2048 
parallel subehannels are obtained using both IFFT and FFT. For ANA-PHY-PCRAS, L = 64 + 1 
subehannels with equal bandwidth interval {Ai = 32) are seleeted with the minimum normalized 
eorrelation of 0.7136 among L subchannels. For the modified ANA-PHY-PCRAS, L' = 16 + 1 
subehannels with equal bandwidth interval {Ai = 128) are seleeted with the minimum normalized 
eorrelation of 0.2468. To alloeate L = L'J sub-ehannels, we repeatedly employ sueh L' earriers 
at times to, fi, • • • , fj-i, where tj = to + j ■ 6T and 6T = lOTc = 48ms ean be employed for 
example. With the use of large 6T, the alloeated subehannels at different time slots eould be 
nearly uneorrelated. However, it should be noted that the use of large 5T eould eause notieeable 
end-to-end delay. In the ease of 6T = lOTc = 48ms and J = 4, the end-to-end delay is at least 
J ■ 5T = 192 ms, whieh is eomparable to the time delay due to authentieation in LTE ll27l . 

In simulations, we employ the ehannel model with exponentially deeaying power-delay profile, 
where a total of 20 multipaths are assumed, the normalized delays fi,i = 0,1, • • • , 19 are 
assumed to be uniformly and independently distributed over the length of CP (fi G [0, A^]), 
and ar = 0.5/iS. This ehannel model is eomparable to the urban ehannel defined in [fT^ . with 
20 multipaths and maximum delay spread of 2.14/iS. The path gains Q!i(f)’s are assumed to be 
eomplex-Gaussian distributed, whieh remain eonstant during one OFDM symbol but varying 
independently if the time interval between two OFDM symbols is larger than 5T. 



Fig. 5. Probability density functions of Tikhonov distributed artificial noise with different P’s. 


For the design of physieal layer authentieation sehemes, one should earefully balanee the 


February 19, 2016 


DRAFT 









25 



Fig. 6. Normalized equivocation about the key with ANA-PHY-PCRAS. 

three performanee metries, namely, the sueeessful authentication rate, the false acceptance rate 
and the (normalized) key equivocation ^H{Kb\Zq~^) for any eavesdropper. In most scenarios, 
the ideal Receiver Operating Characteristic (ROC) (successful authentication rate versus false 
acceptance rate) can be achieved without much difficulty in the working SNR region for the 
purpose of communications. Hence, the key equivocation, as a security metric, could be of the 
first importance for its use in practice. 

C. Key Equivocation 

We compute the key equivocation for ANA-PHY-PCRAS in the worst case scenario. As shown 
in (I55l) . it depends on the specified distribution of artificial noise. Fig. [5] shows the pdfs of the 
Tikhonov distributed artificial noise with different /S’s. Then, we plot the lower bound (1551) 
on the (normalized) key equivocation in Fig. for different /9’s, with both BPSK and QPSK 
constellations. As shown, the key equivocation achieves the maximum at /3 = 0, in which case the 
uniformly-distributed artificial noise over (—tt, vr] is employed. The key equivocation decreases 
when f) increases. When no artificial noise is introduced, the key equivocation is simply reduced 
to zero for this worst case scenario, which means that there is no guarantee of information- 
theoretic security for PHY-PCRAS ifT^ . Clearly, the use of higher-order modulation scheme can 
strengthen the system security as the key equivocation increases. 

We comment here that there is simply no guarantee of information-theoretic security for various 
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reported physical-layer authentication schemes /HI/, /0/ if Eve is very close to Bob and hence 
she can get a noise-free version of the transmitted signal by Bob, and in the same time the 
channel between Alice and Bob is unfortunately static over the period of authentication. 

D. ROC Performance 

Through extensive Monte-Carlo simulations, we investigate the pdfs of C under two hypothesis 
Hi,i = 0,1, whieh ean be well employed to evaluate both sueeessful authentication and false 
acceptance rates. The proper choice of the threshold t can also be determined from the pdfs of 

C- 



Fig. 7. Probability density functions of Cl^i and Cl^o at SNR = 5 dB for PHY-PCRAS. 

1) PHY-PCRAS, ANA-PHY-PCRAS and Modified ANA-PHY-PCRAS: With L = 64 + 1 sub¬ 
channels selected among N = 2048 OFDM subchannels (A£ = 32) for a single OFDM symbol, 
Fig. |7] shows empirical pdfs of and Cl-^o at SNR=5 dB for PHY-PCRAS, while Fig. [8] 
shows empirical pdfs of C\Hi and Cl-^^o at SNR=10 dB for ANA-PHY-PCRAS with fi = 1.5. 
In both figures, BPSK constellation is assumed. As claimed in Section-Ill, and Cl-^o 

are both Chi-square distributed. Hence, Chi-square distributions are also given in both figures, 
where |r/i|, = 0,1 are directly estimated through Monte-Carlo simulations lf22]l . As shown, 

the theoretical Chi-square distributions are coincided well with the empirical distributions even 
though L subchannels are correlated. Since the pdf of C,\Hi is far apart from that of C\Ho even 
at the SNR of 5 dB in Fig. |7l almost ideal ROC curve can be observed. With the introduction 
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Fig. 8. Probability density functions of Cl^^i and Cl^^o at SNR = 10 dB and /3 = 1.5 for ANA-PHY-PCRAS. 



Fig. 9. Successful authentication rate versus false acceptance rate at SNR=10 dB for ANA-PHY-PCRAS with different /3’s. 

of artificial noise, the ROC performance of ANA-PHY-PCRAS is clearly inferior to that of 
PHY-PCRAS as indicated by Fig. [U 

Next, we investigate the effeet of /9 on the ROC eurves for ANA-PHY-PCRA, which is 
depicted in Fig. for different /S’s. From both Fig. and Fig. we eonelude that there is a 
fundamental tradeoff between the ROC performanee and security, which is controlled by the 
amount of artificial noise (/9). 

In Fig. IS we have shown that the use of QPSK constellation is significantly superior to the use 
of BPSK constellation for the seeurity of ANA-PHY-PCRAS. Here, we show their ROC curves 
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Fig. 10. Comparison of ROC curves with ANA-PHY-PCRAS for both BPSK and QPSK constellations {p = 1.5). 


in Fig. [To] for ANA-PHY-PCRAS with both BPSK and QPSK constellations, where /3 = 1.5 is 
used. Noting that the use of QPSK eonstellation requires the size of key doubled compared to 
the use of BPSK eonstellation. As shown, the same ROC eurves are observed for both BPSK 
and QPSK. Henee, the use of higher order eonstellations ean significantly improve the seeurity 
of ANA-PHY-PCRAS, whieh is very helpful in praetieal scenarioes whenever the number of 
alloeated subchannels is not enough eompared to the size of the shared key. 



c 


Fig. 11. Probability density functions of (^\Hi and (^\Ho at SNR=10 dB with time-separated subchannel allocation (J = 4) 
and P = 1.5. 

We also consider the modified ANA-PHY-PCRAS, where L = L'J subchannels allocated for 
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four (J = 4) far-separated OFDM symbols with L' = 16 -f 1 subchannels allocated for each 
OFDM symbol. Fig. [TT] shows its empirical pdfs of C\Hi and C\Ho at SNR=10 dB and P = 1.5. 
Although the modified ANA-PHY-PCRAS can be better protected by the randomness of the 
physical channel (due to well-separated subchannels in both time and frequency), it, however, is 
slightly inferior to ANA-PHY-PCRAS in the ROC performance as indicated in Fig. [8] and Fig. 
nn due to noncoherent combining loss. 

2) The effect of practical imperfections: We consider practical imperfections in both the 
challenge and response stages. Imperfects at the receiver of Bob in the challenge stage are 
assume to be independent from the receiver of Alice in the response stage. 

In simulations, both the effects of carrier frequency offset and sampling offset are considered, 
while the sampling frequency offset is not considered, as its effect can be well included in the 
equivalent channel model as shown in (l4T]) . The residual carrier frequency offset 'd = AfTu is 
assumed to be uniformly distributed in [—The sampling offset is also uniformly 
distributed in By referring to (|4^ . the verification should be searched over the 

range of w, due to the sampling offsets introduced by the receivers at the sides of both Bob and 
Alice. Clearly, 

2^max^£ 

ZU G [ r<7jjiax) ^max]) ^max 27r X (60) 

With a step size of for search of w, there are candidate frequencies to be tested 

for maximizing ( (HH). 

In Fig. [13 the modified ANA-PHY-PCRAS is considered for J = 4, = 10, A£ = 128, 

•j^ m ax = 0.1 and P = 1.5. Clearly, w E 271 x [—0.625,0.625]. One can show that the SNR loss 
lf2^ due to both carrier frequency offset and sampling offset is negligible when the working 
SNR is 10 dB, which was verified by extensive simulations. 

By comparing Fig. [I2l with Fig. [HI there is actually minor difference between the scenarios 
of zero- and non-zero sampling/carrier frequency offsets for the empirical pdfs when is set 
to 200. Even with = 40, it still works with slightly degraded ROC performance. Therefore, 
the number of candidate frequencies to be tested can be very small for authentication, and the 
increase in complexity due to the search of frequency can be well controlled. 
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Fig. 12. Empirical probability density functions of and Cl^o at SNR=10dB (J = 4) and /3 = 1.5. 



Fig. 13. Comparison of the proposed ANA-PHY-PCRAS and PHY-CRAM for ROC curves at SNR=5 dB and L = 64. 


E. Comparison with PHY-CRAM 

As a mutual physical challenge-response authentieation seheme, the PHY-CRAM proposed 
in im was shown to be simple, low eomplexity, robust, and flexible. Hence, it is interesting to 
eompare ANA-PHY-PCRAS with PHY-CRAM. 

Fig. [13] shows the eomparison result in the ROC performanee at SNR=5 dB, where (3 = 1.5 
is used for ANA-PHY-PCRAS. Therefore, a normalized key equivocation of ^H{1Cb\Zq~^) > 
0.491 can be aehieved in the worst ease seenario. This, however, is not true for PHY-CRAM. Even 
with the introduction of artificial noise, ANA-PHY-PCRAS is still better than PHY-CRAM in 
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the ROC performance as shown in Fig. [13] Indeed, PHY-CRAM employs amplitude modulation, 
which is often worse than phase modulation in performance. For implementation, high peak 
fluctuations may occur with PHY-CRAM, due to the employment of amplitude modulation. 
Hence, it requires to suppress the high peak in practice with additional complexity. ANA-PHY- 
PCRAS, however, is more sensitive to the frequency offset compared to PHY-CRAM. 

VI. Conclusion 

In this paper, we proposed a novel ANA-PHY-PCRAS for practical OFDM transmission, where 
the Tikhonov-distributed artificial noise is introduced to interfere with the phase-modulated key 
for resisting potential key-recovery attacks. Thanks to the introduced artificial noise, the proposed 
ANA-PHY-PCRAS was proved to be secure even in the worst case scenario, where a static 
channel between Alice and Bob is assumed, and Eve can even get a noise-free version of the 
transmitted signal by either Alice or Bob. 

Various practical issues are addressed for ANA-PHY-PCRAS with OFDM transmission, in¬ 
cluding correlation among subchannels, imperfect carrier and timing recoveries. The effect of 
sampling offset was shown to be significant for the practical implementation of ANA-PHY- 
PCRAS, and a search procedure in the plane of frequency should be seriously considered for 
verification even with very small sampling offsets. We also proposed a modified ANA-PHY- 
PCRAS for time-separated subchannels, which shows its robustness in verification whenever the 
local oscillator at the receiver may change over time. 

Compared to the traditional challenge-response authentication scheme implemented at the up¬ 
per layer, we conclude that ANA-PHY-PCRAS (or its modified version) can be further protected 
by the uncertainty from both the wireless channel and introduced artificial noise, which is of 
information-theoretic nature and could not be broken even with unlimited computational power. 
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